Digicomp Citrix-Day 2015 Networking Update

Transcription

Digicomp Citrix-Day 2015
Networking Update
Zürich, 11.11.2015
Simeon Bosshard, Citrix Systems International GmbH
v2 March
2015 Citrix Confidential

Agenda

NetScaler 11
– Unified Gateway
– SDX
– General Improvements

CloudBridge
– WAN Optimization 7.4
– VirtualWAN – WAN Optimization
– VirtualWAN / VirtualWAN Center
– HDX Optimization

NetScaler 11: Unified Gateway

Unified Gateway (Key Use Cases)
– Access Unification
– Smart Access 2.0
– Portal Customization
– CVPN Infrastructure
– Client Plugins

Why Unified Gateway?
Multiple point solutions result in:
– Multiple URLs, limited or poor end user experience
– Complicated and hard to manage infrastructure
– Multiple islands, limited integration between products/solutions
– Misconfiguration of security and access policies
– Re-authentication for all the applications.
(Diagram: Distributed App Infrastructure with SaaS, SG, ADC, ICA, SSL VPN, mVPN, Mobile User, Client/Server, Public Cloud, On Prem, Hybrid Cloud)

Unified Gateway - One URL to any application
– One addressable URL/FQDN
– "Login Once" and achieve seamless SSO to WebApps, Enterprise Apps, Citrix Apps, CloudApps (Mobile Apps is in the works)
– A single pane of glass for Configuration, Security and Control

Unified Gateway – Building blocks
(Diagram: Gateway V-Server as Single Point of Authentication, with One URL, One IP, one Login; published resources include Citrix Apps, SharePoint, SAML SSO, WA, /tmtrack, OneBug, /Backstage)

Unified Gateway - What's new in Gateway?
– Gateway vserver:
  – can be behind a CS vserver.
  – Does not need IP/port.
  – Does not need SSL certs (SSL certs are bound to the front end CS vserver)
  – Single point of configuration for all policies (Authentication/authorization/session)
– Login once – One login for all GW/TM/SaaS apps that are published on the gateway portal.
– Logout once – Single logout for all TM web apps/enterprise apps behind Unified Gateway.

Default theme homepage:

New homepage for Greenbubble theme

Customization

Admin GUI

Portal Customization Wizard flow

Major customizable parameters. Includes CSS styling, which is applied consistently to all pages. Individual page labels are also customizable.

Authentication Dashboard

Syslog Viewer

SmartAccess: C, D and L are applications in this example, where C = Clipboard access, D = Drive mapping and L = LPT port access.

SmartControl: Overriding capability on NetScaler and the effective policy on Receiver.

What is the difference between SmartAccess and SmartControl?
– SmartAccess: access to published applications is controlled in the XA/XD policy engine with the help of session policy results from the NS.
– SmartControl: NetScaler becomes a single point of configuration and enforcement. The NS takes the decision to block access to any features.
(Diagram: Remote insecure client – NetScaler with SmartControl – Remote Desktop; "Looks like an insecure client!! Let me block the ability to cut/copy/paste")

SmartControl: What can be controlled?
All of these features can be controlled:
– Client clipboard redirection
– Client drive mapping
– Client USB device redirection
– Client audio redirection
– Client COM port redirection
– Client LPT port redirection
– Client printer redirection
– Multi stream
– File sharing for Receiver for HTML5
Rather than making the admin configure capabilities on multiple backend XA/XD servers, with SmartControl NetScaler becomes a single point of configuration. Users can be granted access based on EPA checks.

Configuration: VPN Plugin, EPA Plugin

NetScaler Gateway Double Hop Deployment:

HDX Insight LAN User Mode
(Diagram: XenApp/XenDesktop clients – SOCKS proxy on NetScaler (SOCKS server) – WAN – server network switch – XD servers in the XA/XD farm)

NetScaler SOCKS server configuration (placeholders in angle brackets):
  add cr vserver crvs HDX <crvserver IP> <Port> -cacheType FORWARD -cltTimeout 180
  bind appflow global pol2 1 END -type ICA_REQ_DEFAULT

ICA file settings:
  ProxyType=Socks
  ProxyHost=<crvserver IP>:<Port>
  ICASOCKSProtocolVersion=0
  ICASOCKSProxyHost=<crvserver IP>
  ICASOCKSProxyPortNumber=<Port>

Client Plugins

RDP Proxy in NetScaler Gateway

RDP Proxy Deployment Overview (like a launch.ica)

Portal Page with RDP Resources

NetScaler 11: SDX

Solution - Simplified Upgrade
– SDX on Citrix supported matrix - always
– Single-step upgrade of the entire SDX with a single image
– Intuitive progress display
– Reduced customer escalations

First Time User Experience

New Dashboard

NetScaler 11: General Improvements

TLS_FALLBACK_SCSV
– Mitigation for the POODLE attack
– Prevents attempts to connect to the server by downgrading the SSL/TLS protocol
– By this parameter the server identifies whether SSLv3 is really the highest protocol present on a client

Platform     Release Plan
MPX          11.0, 10.5 b57
VPX          11.0, 10.5 b57
VPX on SDX   11.0, 10.5 b57
MPX FIPS     11.0, 10.5 b57
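The downgrade check the slide describes, written out as an added example (not Citrix or NetScaler code): a minimal ClientHello parser and the server-side decision from RFC 7507. The record layout, the SCSV value 0x5600 and the alert code 86 come from the RFC; the sample ClientHello bytes are constructed here.

```python
"""Server-side TLS_FALLBACK_SCSV check (RFC 7507) as the slide describes.

A client retrying a failed handshake at a lower version adds TLS_FALLBACK_SCSV
(0x5600) to its cipher-suite list; a server that supports a higher version
than the one offered then refuses with an inappropriate_fallback alert."""
import struct

TLS_FALLBACK_SCSV = 0x5600
INAPPROPRIATE_FALLBACK = 86        # TLS alert description value, RFC 7507
SSLv3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303


def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suites]) from a TLS record carrying a
    ClientHello. Only the fields the SCSV decision needs are parsed."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len or body[0] != 1:
        raise ValueError("not a complete ClientHello handshake record")
    pos = 4                          # handshake type (1) + length (3)
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                    # client_version + Random
    pos += 1 + body[pos]             # session_id (length-prefixed)
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return client_version, suites


def scsv_check(record: bytes, server_max_version: int = TLS12):
    """Return None to continue the handshake, or the alert code to send."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return INAPPROPRIATE_FALLBACK   # downgraded retry: refuse it
    return None                         # genuine maximum, or no SCSV sent


def build_client_hello(client_version: int, suites) -> bytes:
    """Constructed minimal ClientHello (zeroed Random, empty session id,
    null compression, no extensions), used as sample input below."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suite_bytes)) + suite_bytes
             + b"\x01\x00" + b"\x00\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, TLS10, len(handshake)) + handshake


if __name__ == "__main__":
    # TLSv1.2-capable client forced down to SSLv3 (POODLE-style) sends the
    # SCSV; a TLSv1.2 server must reject it, while an honest SSLv3 offer passes.
    print(scsv_check(build_client_hello(SSLv3, [0x002F, TLS_FALLBACK_SCSV])))  # 86
    print(scsv_check(build_client_hello(SSLv3, [0x002F])))                     # None
```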

Customize SSL Default Profile
– Edit the default SSL profile to handle global changes to be applied to all of the SSL vservers and services
– Edit the default cipher group bound to the vservers at one location
– Enables reflecting changes to multiple vservers and services by changing the configuration at one location
– For example: disable SSLv3 globally, remove RC4 from the default cipher group

Platform     Release Plan
MPX          11.0, 10.5 MR (Q2, 2015)
VPX          11.0, 10.5 MR (Q2, 2015)
VPX on SDX   11.0, 10.5 MR (Q2, 2015)
MPX FIPS     11.0, 10.5 MR (Q2, 2015)

New Cipher Support
– AES-GCM/SHA-2
  – Front-end on MPX (PX, N3)
  – TLSv1.2 only.
– ECDHE
  – Back-end on MPX (PX, N3)
  – Note: ECDHE on front-end GA'ed in 10.1, 10.5
– Support on other platforms (FIPS, VPX) coming soon.

PFS Optimizations
– ECDHE: 120%
  – 2 ECC multiplications compared with 1 RSA 2K sign operation.
  – More operations offloaded to the Cavium card.
  – Performance with P-256:
    – Corinth-N3: 8,200 TPS (CPU: 12%)
    – Decapolis: 65,000 TPS (expected numbers: Shenick tool limitation, BWC now ready :)
– DHE:
  – DH key generation offloaded to the card.
  – Performance with DH-2048bit on Corinth-N3:
    – Full PFS (no reuse): 9,200 (CPU: 10%)
    – 500 reuse: 15,500 (CPU: 11%)

Auto Detection of CertKey Encoding
– NetScaler can now auto-detect the encoding type and load the certificate and key.
  – No need to figure out and give the "-inform" option.
– Supported formats: PEM, DER, PFX/PKCS#12
– For PFX, with the "-bundle" option of the "add certkey" command:
  – NetScaler will parse the PFX file.
  – Load the server-cert and server-key
  – Load all the Intermediate-CA certs present in the PFX file
  – Link the certificates.

Protocol Support Matrix for TLSv1.1/1.2

Platform   Front-End (Vserver)                 Back-End (Service)
MPX/SDX    YES [Since 10.0]                    YES [11.0, 10.5 (MR – June/July)]
FIPS       YES [11.0, 10.5.e - 55.8007.e]      YES [11.0, 10.5 (MR – June/July)]
VPX        YES [11.0, 10.5 – 57.7]             In-progress [Q3]

Qualys SSL Labs Report: NetScaler sequel/

Secure Cookie Enhancement

Introduction
– When cookie persistence is configured on an lb vserver, the NS inserts a cookie into the response to a client request.
– The cookie has information about:
  – Vserver name
  – IP address & port of the service
– Based on this, a persistent service is selected on subsequent requests from the client containing the cookie.
Vulnerability: the encoded persistence data can be easily guessed by an attacker, exposing backend server information.

CloudBridge: WAN Optimization 7.4

CloudBridge 7.4.x WAN Optimization
September:
– Transparent Caching – includes authenticated links
– Thinwire support (FP3) – expect LESS bandwidth usage than legacy T/W
– ICA Proxy / NSG sandbox – acceleration for remote users
October / November:
– Zero Touch Factory Ship – DHCP / Command Center support
– Office365 acceleration – support optimization from local POP
– SMB3 Optimization – better pre-fetching and compression
Q1/2016:
– Session Reconnect – full CGP support
– Adv. Thinwire / DCR – better cross session de-duplication

CloudBridge: VirtualWAN – WAN Optimization

WAN Optimization Solution: optimize bandwidth while accelerating application delivery
Virtual WAN Solution: scale bandwidth, ensure availability, and reduce costs

WAN Optimization Solution (MPLS)
– "Accelerate" the WAN by compressing data and optimizing chatty protocols
– Use when MPLS connections are the only viable WAN option for security or performance reasons

Virtual WAN Solution (bonded WAN links: Internet, MPLS, 4G LTE)
– Bonds WAN connections for increased throughput
– Use to increase application bandwidth and WAN reliability while prioritizing mission critical apps

CloudBridge Virtual WAN Solution Overview
(Diagram: Virtualized WAN between two CloudBridge appliances over Internet (DIA/DSL/Cable) VPN, MPLS VPN and 4G LTE / Satellite)
– Logically bond multiple, distinct WAN connections into one virtual link
– Encrypt paths between devices to provide end-to-end security
– Send packets based upon application needs and link performance

Branch Needs Differ Based Upon Location
WAN Op Edition – high latency, very remote locations:
– Single WAN link to branch
– Without WANOP, cannot deliver apps
– Today, this is mainly cross-GEO, or for very remote sites.
Virtual WAN Edition – low latency, local branch locations:
– Need additional bandwidth
– WANOp will add little value
– Want more reliability; may already have multiple WAN links
(Diagram: Branch – Data Center)

CloudBridge: VirtualWAN

Internet and MPLS are both Important
Key recommendation: "Create a WAN solution that can optimize traffic flows between the Internet and the MPLS for all applications and between both internal and external users." (Gartner, Sept 2014)

vWAN Architecture Basics
– The Main Control Node (MCN) is the configuration and management node for the Virtual Network. Except for the initial install, all configuration and management are done here. There can be more than one, but only one is active.
– The vWAN Node (VWN) is located at the branch sites. Very little configuration can be done here.
(Diagram: MCN – VWN)

vWAN Architecture Basics
– Virtual Path Service: aggregate of all virtual paths
– WAN link: connects the appliance to the WP
– WAN Path: connection between nodes
(Diagram: MCN – WAN Path – vWAN node)

Architecture Basics
– Internet virtual links can be path diverse
– Multiple paths are not affected by a single fail point
(Diagram: VWA – MCN)

Flows
vWAN Flows are book-keeping devices:
– vWAN Flows represent directional flows of traffic across a vWAN
– vWAN Flows are created for each Session in each direction
– vWAN Flows are identified by a 6-tuple of Session information
vWAN Flow 6-tuple: Source IP, Destination IP, Source Port, Destination Port, IP Protocol, DSCP tag (optional)

Virtual WAN is App Fluent
– Assign App to best path, every dband
(Diagram: Internet – mid latency; MPLS – low latency; 4G/LTE – mid latency; Files, VoIP and Mail with optimized delivery; Application Aware QoS)

Virtual WAN is Always Connected
– Adapt path on network al
(Diagram: VoIP over Broadband Internet (mid latency, marked X), MPLS (low latency), 4G/LTE (mid latency); Always Connected; Application Aware QoS)

CloudBridge Virtual WAN Solution Leapfrogs the Competition

Criteria           Cisco iWAN              Riverbed          CloudBridge
Path assignment    By connection           By connection     By packet
Adaptation         Routing table changes   Device-managed    Device-managed
Adaptation Basis   Round trip              Round trip        Uni-directional

– Single point of configuration
– Path selection is based on the best available WAN link, not a static threshold being sampled
– Minimally invasive & centralized
– Per packet
Why does this matter?
– Granular adaptations: superior end user experience
– Timely adaptations: superior end user experience
– Self contained implementation
– Works just as well with asymmetric networks

CloudBridge Virtual WAN
(Diagram: Secure End-Point at the Branch – MPLS, 4G/LTE, Satellite – Secure End-Point at DC/Private Cloud – Enterprise Apps)
Key Capabilities
– Per packet path selection: policy based path selection based on packet content
– Sub-second adaptation: reacts in real time to subtle changes in network conditions
– Packet Duplication: improved reliability for sensitive applications across the WAN
– One-way path selection: get maximum benefits for asymmetric network links

CloudBridge VWAN 8.1
Customer Benefits and Supporting Features:
– Simple Deployment & Licensing: quicker branch deployment with VW VPX models; remote & local licensing for new VW VPX models
– Enhanced Manageability & Troubleshooting: management of the complete Virtual WAN topology; real-time alerting; fault management & SLA monitoring
– Expanded visibility: interactive Network Map; site-by-site visibility
– Increase DC Scale: higher capacity SKU for CB 4000 (2Gbps)

CloudBridge Virtual WAN: Virtual WAN VPX Appliances

Feature                          VPX 10    VPX 20    VPX 50    VPX 100
Virtualized bandwidth            10 Mbps   20 Mbps   50 Mbps   100 Mbps
Max Virtual Paths                8         8         16        16
Max Dynamic Virtual Paths        2         4         6         8
Max WAN Links (Public/Private)   4/16      4/16      8/32      8/32

Virtual Deployments
– Branch: up to 100 Mbps (Q3'15); ESXi, XS and Hyper-V*; Cisco ISR, HP branch router*
– Virtualized DC: starting with 100 Mbps (Q3'15) and going up to 1 Gbps*; ESXi, XS and Hyper-V*
– Cloud DC: AWS (Q3'15); Azure*; SoftLayer*
* Target 1H 2016

Platforms Update: Citrix expands DC platform scalability

Deployment Model                 Series            Bandwidth (Mbps)   Availability
Data Center                      CloudBridge 5100  2000-4000          Q4'15
Data Center                      CloudBridge 4000  500-1000, 2000     Now
Large Branch / Regional Office   CloudBridge 2000  100-200            Now
Medium Branch / Small Branch     CloudBridge 1000  20-100             Now
                                 CloudBridge 400   10-20

CloudBridge: VirtualWAN Center

Centralized Management and Monitoring for the Virtual WAN
(Diagram: Virtual WAN Center (Centralized Management & Monitoring); Branch CloudBridge Virtual WAN Edition – MPLS, INTERNET, 4G/LTE – DC CloudBridge Virtual WAN Edition)
Centralized control with Virtual WAN Center:
– Configure
– Monitor
– Analyze / Report

Management / Reporting
Centralized management and monitoring capabilities for the Virtual WAN:
– Centralized, aggregate dashboard view
– Virtual WAN Topology Map
– Proactive SLA Monitoring for WAN links
– Fault Management and Alerting capabilities

Virtual WAN Centre Dashboard

Virtual WAN Centre Fault Management

Virtual WAN Centre Reporting

CloudBridge: HDX Optimizations

The three HDX display modes
– Desktop Composition Redirection (DCR)
– Advanced Thinwire (H.264)
– Thinwire (Snowball)

Desktop Composition Redirection (DCR)
– Uses Direct3D to render the screen; replaces GDI-based screen handling
– Offers the best screen user experience (Aero-like view)
– Offloads screen rasterization to the client: best server scalability
– Good cross-session deduplication (better compression)
BUT
– Uses a lot of bandwidth
– Only supported by Windows 8 and Server 2012
– May not be the long-term solution (e.g., Linux VDA, etc.)

Advanced Thinwire (H.264)
– Very efficient compression, especially for server-rendered video and graphic apps
– Efficient rasterization on the server
– Wide support for various operating systems (Windows, Linux, etc.)
BUT
– Does not de-duplicate well (20% versus 50% to 80%)
– Server is not as scalable as DCR
– Best for graphics applications, less applicable for general user apps (SAP, Office)

Thinwire (Snowball)
– Highly efficient use of bandwidth
– Broad cross-platform support
– High cross-session de-duplication
– Rasterizes on the server; about the same efficiency as Advanced Thinwire
BUT
– Not as good as Advanced Thinwire for video and heavy graphics apps
– Not as scalable as DCR on the server

How much bandwidth does each consume with and without CB?
(Chart: Word 2010 Paging Test, totals for first pass and second pass, comparing DCR, Advanced Thinwire, Thinwire and Legacy Thinwire)

Which to choose?
Conserve Bandwidth – WAN implementations:
– Use Thinwire with CloudBridge for the highest bandwidth efficiency
– Advanced Thinwire for server rendered video
– Modified DCR template for the best user experience
Best User Experience – LAN implementations:
– Local implementations use Advanced Thinwire or DCR
– CAD: use HDX 3D Pro (Adv. Thinwire)
– Server rendered video: use Advanced Thinwire
– Only use legacy Thinwire for compatibility with XP and older thin clients

XenDesktop / App are perfect for Virtual WAN
– ADSL & Cable: 4:1 ratio of server to client traffic
– All of the ICA optimizations we have in WAN Opt will be in WAN Virtualization

Work better. Live better.